We all know Yahoo is a company that prides itself on hiring H1-B Visa clowns who are totally incompetent. Witness the destruction of Yahoo Groups' message archives and the dumbed-down and nearly unusable NEO interface that infected Yahoo Groups mid-August 2013. And, of course, Yahoo Email is one of the longest-running jokes on Earth far surpassing AOL's clown circus. You'd be well-advised to abandon Yahoo and Yahoo Mail immediately.

Lest readers think "catastrophic" is too exaggerated a description for the critical defect affecting an estimated two-thirds of the Internet's Web servers, consider this: at the moment this article was being prepared, the so-called Heartbleed bug was exposing end-user passwords, the contents of confidential e-mails, and other sensitive data belonging to Yahoo Mail and almost certainly countless other services.

The two-year-old bug is the result of a mundane coding error in OpenSSL, the world's most popular code library for implementing HTTPS encryption in websites, e-mail servers, and applications. The result of a missing bounds check in the source code, Heartbleed allows attackers to recover large chunks of private computer memory that handle OpenSSL processes. The leak is the digital equivalent of a grab bag that hackers can blindly reach into over and over simply by sending a series of commands to vulnerable servers. The returned contents could include something as banal as a time stamp, or it could return far more valuable assets such as authentication credentials or even the private key at the heart of a website's entire cryptographic certificate.

Underscoring the urgency of the problem, a conservatively estimated two-thirds of the Internet's Web servers use OpenSSL to cryptographically prove their legitimacy and to protect passwords and other sensitive data from eavesdropping. Many more e-mail servers and end-user computers rely on OpenSSL to encrypt passwords, e-mail, instant messages, and other sensitive data. OpenSSL developers have released version 1.0.1g that readers should install immediately on any vulnerable machines they maintain. But given the stakes and the time it takes to update millions of servers, the risks remain high.

Enter Yahoo Mail

For an idea of the type of information that remains available to anyone who knows how to use open source tools like this one, just consider Yahoo Mail, the world's most widely used Web mail service. The images below were recovered by Mark Loman, a malware and security researcher with no privileged access to Yahoo Mail servers. The plaintext passwords appearing in them have been obscured to protect the Yahoo Mail users they belong to, a courtesy not everyone exploiting this vulnerability is likely to offer. To retrieve them, Loman sent a series of requests to servers running Yahoo Mail at precisely the same time as the credentials just happened to be stored—Russian roulette-style—in Yahoo memory.

Hackers can repeat the process over and over on unpatched servers and then use freely available software to scan the results for all kinds of sensitive data. In theory, attackers may also be able to query client machines running OpenSSL-powered software to retrieve large chunks of sensitive memory, too.

(Private) keys to the kingdom

The huge number of servers running software vulnerable to Heartbleed exploits isn't the only thing that makes patching difficult. That's because one of the crucially sensitive pieces of information potentially exposed by the vulnerability is the private key that corresponds to a website's digital certificate. Attackers who get access to the private key can use it to impersonate a site even after the OpenSSL patch is applied. What's more, for sites that don't use a cryptographic property known as perfect forward secrecy, attackers might be able to use the key to decrypt data already sent. And of course, any sensitive data transmitted between the time the flaw was discovered and when it was patched remains potentially compromised.

All of this means that applying the OpenSSL patch is only the starting point on the multi-step path of Heartbleed recovery. Website operators should strongly consider replacing their X.509 certificates after applying the update and getting all users and administrators to change passwords as well. While it's possible that none of this data has been compromised, there's no way to rule it out, either.

It's probably premature for users to replace passwords across the board, but for sites they know have received the OpenSSL patch, it may be a good idea to change login credentials. People who are truly security conscious may want to change passwords a second time if they notice a patched site later updates its digital certificate.

In the meantime, readers should steer clear of Yahoo Mail and any other sites that are still running vulnerable versions of OpenSSL. The login credential you save may be your own.
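The missing bounds check the quoted article describes, as an added example in C (not code from this thread, the article, or OpenSSL itself): a toy heartbeat parser in its length-trusting form beside the form that validates the length field against the record actually received. The function names, the `arena` buffer and its contents are constructed for illustration; the record layout and the 16-byte minimum padding follow RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST 1u
#define HB_HDR     3u   /* 1-byte type + 2-byte payload length */
#define HB_MIN_PAD 16u  /* RFC 6520: at least 16 bytes of padding */
#define REC_LEN    23u  /* header + 4-byte payload + 16 padding bytes */

/* Constructed stand-in for process memory: one 23-byte heartbeat record
 * whose length field claims 32 payload bytes, then unrelated data. */
static const uint8_t arena[48] = {
    HB_REQUEST, 0x00, 0x20, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    'S','E','C','R','E','T','-','S','E','S','S','I','O','N','-','K','E','Y'
};

/* "Before": copy length is the peer's length field, never checked against the record. */
size_t hb_echo_unchecked(const uint8_t *rec, uint8_t *out, size_t out_cap)
{
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > out_cap) claimed = out_cap;  /* demo-only clamp: stay inside arena */
    memcpy(out, rec + HB_HDR, claimed);
    return claimed;
}

/* "After": return 0 (silently discard) unless header, payload and padding fit in rec_len. */
size_t hb_echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + claimed + HB_MIN_PAD > rec_len || claimed > out_cap)
        return 0;
    memcpy(out, rec + HB_HDR, claimed);
    return claimed;
}

/* Bytes of the unchecked reply that came from beyond the record's end. */
size_t demo_leaked_bytes(void)
{
    uint8_t out[32];
    size_t n = hb_echo_unchecked(arena, out, sizeof out);
    size_t sent = REC_LEN - HB_HDR;   /* 20 bytes really followed the header */
    if (n <= sent || memcmp(out + sent, "SECRET-SESSI", n - sent) != 0)
        return 0;
    return n - sent;
}

/* Runs the checked parser on the same record with a given length field. */
size_t demo_checked(uint8_t claimed_len)
{
    uint8_t rec[REC_LEN], out[32];
    memcpy(rec, arena, REC_LEN);
    rec[2] = claimed_len;
    return hb_echo_checked(rec, REC_LEN, out, sizeof out);
}

int main(void)
{
    printf("leaked=%zu checked(32)=%zu checked(4)=%zu\n", demo_leaked_bytes(), demo_checked(0x20), demo_checked(4));
    return 0;
}
```

The checked parser echoes the honest 4-byte payload and drops any record whose length field exceeds what arrived, which is the behaviour an operator can expect from a patched endpoint.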

Post by Eric Weaver
C'mon, Heartbleed applies not only to the 'hoo but almost certainly to Gmail and "Outlook".

It may or may not have applied to Google and/or Gmail; if they were vulnerable well after the announcement nobody publicized it. Yahoo was (though it now seems to pass). Of course it's completely unhelpful to talk about "Outlook" in this context, since it's just a piece of software (which probably isn't even linked to the OpenSSL library).

Either a site patched in a timely fashion or they didn't; Yahoo didn't.

Post by Eric Weaver
C'mon, Heartbleed applies not only to the 'hoo but almost certainly to Gmail and "Outlook".

It may or may not have applied to Google and/or Gmail; if they were vulnerable well after the announcement nobody publicized it. Yahoo was (though it now seems to pass). Of course it's completely unhelpful to talk about "Outlook" in this context, since it's just a piece of software (which probably isn't even linked to the OpenSSL library).

Actually "Outlook" is the current branding of "Hotmail" and in that sense was I using the term.

Yahoo web site was apparently patched last night, at least their web servers:
<http://filippo.io/Heartbleed/#www.yahoo.com>

The port 443 webmail login page at mail.yahoo.com was being blocked for most of the morning, but apparently just appeared as patched (10am).
<http://filippo.io/Heartbleed/#mail.yahoo.com>
I haven't tried the backend servers yet.

This example of how one company patched 60,000 servers might help explain why Yahoo was rather slow:
<https://www.getpantheon.com/heartbleed-fix>

Post by Jeff Liebermann
This example of how one company patched 60,000 servers might help
<https://www.getpantheon.com/heartbleed-fix>

That should be 60,000 sites, not servers. Some are probably virtual servers.

Incidentally, 60,000 sites in 12 hrs is 1.4 sites per second which is about what I might expect from a single shell script running from an admin machine.

This is 5 years old, but still interesting:
<http://www.datacenterknowledge.com/archives/2009/05/14/whos-got-the-most-web-servers/>
(Yahoo has) ...likely has more than 100,000 servers in operation to support its large free hosting operation as well as its paid hosting service and Yahoo Stores.
So, using a similar method, that would be well over 20 hrs to patch all the Yahoo servers, sites, or whatever.

Post by Keith Keller
It may or may not have applied to Google and/or Gmail; if they were vulnerable well after the announcement nobody publicized it.

Remember that Google is another Apple: a cult. There's a fascinating article making the rounds about a potential billion dollar lawsuit because Google, Apple, and some others conspired to NOT offer jobs to people who work at each other's companies. Not only is it against the law, there are emails from Eric Schmidt, the then Google CEO, stating that he was worried about this conspiracy being against the law.

Here's one link: http://appleinsider.com/articles/14/04/08/apple-google-others-could-pay-blindingly-high-9b-in-anti-poaching-class-action-suit

So, my point is that there are many people at Google, as well as those who work around them or do business with them, who are not going to spill the beans on any vulnerabilities. Yahoo then becomes punching bag instead, because "nobody cool" works at Yahoo.

Post by David Kaye
So, my point is that there are many people at Google, as well as those who work around them or do business with them, who are not going to spill the beans on any vulnerabilities.

Nobody inside has to spill the beans. People can test for this vulnerability for themselves. That is how people knew Yahoo was still vulnerable. If I forgot to post a link to the tester, Jeff posted a link to one today.

Post by Keith Keller
Nobody inside has to spill the beans. People can test for this vulnerability for themselves. That is how people knew Yahoo was still vulnerable. If I forgot to post a link to the tester, Jeff posted a link to one today.

AFTER the fact. It's easy to go back through the rabbit hole once you found it. It's something else entirely to test everything against all possibilities unless you can make money at it, either as a paid tester or as an exploiter of the loopholes.

Don't you remember when people were going on and on about how Apple's OS was invulnerable to attack? We who knew better said it was only because they didn't have a large enough installed user base to attract the attention of the malware writers. And even when malware began to appear, the Apple defenders said it was just a fluke. And then Steve Jobs banned Adobe's products on Apple products because they had holes big enough to drive a truck through. And STILL they didn't believe; they felt it was a tiff between Jobs and Adobe or that Apple was working on a better version of Flash, or something.

People who embrace companies like a religion (Apple, Google, Facebook) are going to defend it to the exclusion of reason. Religion is not rational. Ready now? "You cannot use logic to argue someone out of a position if they did use logic to get themselves into it."

Post by Steve Pope
I wouldn't claim that, but I will claim that the best encryption in use is not open source.

What is "the best encryption in use", then? Name a product!

--keith

The "best" as in the most useable, or the "most secure" as in unbreakable? If the "best", methinks Truecrypt perhaps, although there is some controversy:
<http://www.truecrypt.org>
<http://www.computerworld.com/s/article/9243873/NSA_spying_prompts_open_TrueCrypt_encryption_software_audit_to_go_viral>
<http://istruecryptauditedyet.com>
I use it carrying around documents on flash drives or storing password files on my hard disk.

For the "most secure", I have no clue. Probably something the government put together for their own use. Or maybe a one time pad system:
<http://www.unbreakable-crypto.com>

The "best" as in the most useable, or the "most secure" as in unbreakable?

Well, in the context of Heartbleed, and Steve's unprovable comment that ''commercial'' is better than open source, I would say that it has to be able to replicate the functionality of OpenSSL in an https session. So a web server needs to be able to use the library, and web browsers need to be able to communicate with such a server. (I don't think the requirement should be "can currently be used in Apache httpd" or "is a drop-in replacement for OpenSSL"; rather, it should be more along the lines of "with proper coding, could be used in Apache httpd".)

From what I know of Truecrypt, it would not qualify under the above, since from what I can tell it's mainly for file or volume encryption.

Post by Jeff Liebermann
For the "most secure", I have no clue. Probably something the government put together for their own use. Or maybe a one time pad

A one-time pad is certainly the gold standard, but for better or worse many users would resist such measures. (And distribution of pads would cause logistical problems.) You'd also still need some way of encrypting the initial communication, so that the one-time key couldn't be sniffed (since they aren't instantaneous, an attacker could in theory sniff the key and, if he was fast enough, connect to the server and impersonate the victim).

The "best" as in the most useable, or the "most secure" as in unbreakable?

Well, in the context of Heartbleed, and Steve's unprovable comment that ''commercial'' is better than open source, I would say that it has to be able to replicate the functionality of OpenSSL in an https session.

Sorry, I misunderstood.

Please note that the Heart Bleed problem was caused by a coding error, and not a problem with the basic design, which might justify a replacement.

Post by Keith Keller
So a web server needs to be able to use the library, and web browsers need to be able to communicate with such a server. (I don't think the requirement should be "can currently be used in Apache httpd" or "is a drop-in replacement for OpenSSL"; rather, it should be more along the lines of "with proper coding, could be used in Apache httpd".)

Well, in terms of implementation, SSL/TLS is far from perfect. See:
<http://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher>
In terms of current web browsers, none of them have fixed even known vulnerabilities in SSL/TLS.
<http://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers>
Whether it is justified to replace SSL/TLS with a better cipher or to just fix the problems, is subject to further debate. I'm not qualified to offer a replacement or even hold an opinion (which is another reason I should probably stay out of security debates).

Post by Jeff Liebermann
For the "most secure", I have no clue. Probably something the government put together for their own use. Or maybe a one time pad

A one-time pad is certainly the gold standard, but for better or worse many users would resist such measures. (And distribution of pads would cause logistical problems.) You'd also still need some way of encrypting the initial communication, so that the one-time key couldn't be sniffed (since they aren't instantaneous, an attacker could in theory sniff the key and, if he was fast enough, connect to the server and impersonate the victim).

That's usually handled by re-negotiating for a new key at regular intervals. For example, wireless WPA typically re-keys every 10 minutes. (The range of acceptable values is usually 600 - 7200 seconds although some go up to 65536 seconds). DBS satellite and cable TV encryption work much the same way (I forgot the intervals). In theory, one could crack an individual key in a reasonable amount of time, but cracking multiple keys takes much too long.

Besides being impractical for web browser security, and for the reasons you mention, a one-time pad also has a big problem that if the list of one-time keys are leaked, all the previous and future messages can be read.

Post by Jeff Liebermann
Please note that the Heart Bleed problem was caused by a coding error, and not a problem with the basic design, which might justify a replacement.

You and I know that. Apparently not everyone does. The goto fail bug in commercial OS X and iOS was also a coding error.

Post by Jeff Liebermann
<http://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher>
In terms of current web browsers, none of them have fixed even known vulnerabilities in SSL/TLS.
<http://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers>
Whether it is justified to replace SSL/TLS with a better cipher or to just fix the problems, is subject to further debate.

I suspect that this issue is orthogonal to the quality of the implementation, which seems to be what Steve was questioning (though now I'm not so sure). We will need to let him elaborate on his criteria for "better" encryption than "open source" (and more importantly, name the "better" encryption suites that he believes exist).

Post by Jeff Liebermann
I'm not qualified to offer a replacement or even hold an opinion (which is another reason I should probably stay out of security debates).

Based on the posting history of ba.internet, I would suggest that you are the most qualified of the group's regular posters to offer an opinion on these matters. I would certainly never take anyone else's word here (including my own) on encryption questions! But one of the reasons you are more qualified is that you provide evidence for your claims in the form of reputable citations (a behavior I try to emulate, unfortunately unsuccessfully more often than not).

Post by Jeff Liebermann
Besides being impractical for web browser security, and for the reasons you mention, a one-time pad also has a big problem that if the list of one-time keys are leaked, all the previous and future messages can be read.

Exactly what I was thinking--if the OTP had been stored in a Heartbleed-vulnerable service, for example, all the one time pads would need to be replaced. That'd be way more painful than what admins are currently facing under Heartbleed!

Post by Keith Keller
I suspect that this issue is orthogonal to the quality of the implementation, which seems to be what Steve was questioning (though now I'm not so sure).

I'm questioning both the quality of the implementation, and the engineering soundness of claiming any level of security in a system that cannot possibly be secure. Look at what has happened. There is no communications security; there is no information security except within a very narrow layer of the protocol stack. Therefore, any bug anywhere in the system can create a huge gaping security hole.

The principles are not rooted in security, they are rooted in cheapness, high transaction ability, and marketing.

Post by Thad Floryan
We all know Yahoo is a company that prides itself on hiring H1-B Visa clowns who are totally incompetent. Witness the destruction of Yahoo Groups' message archives and the dumbed-down and nearly unusable NEO interface that infected Yahoo Groups mid-August 2013. And, of course, Yahoo Email is one of the longest-running jokes on Earth far surpassing AOL's clown circus. You'd be well-advised to abandon Yahoo and Yahoo Mail immediately.

This story actually made it to TV news last night. Hopefully it being publicized in the mass media will help spur more people to abandon Yahoo Mail.

While I've done my part to warn friends, relatives, and colleagues about Yahoo Mail, and nearly everyone I know has abandoned it, there are still many non-tech-savvy people that don't know about the issues. Then there are those people that do know about all the problems but ignore or deny them.

Post by Thad Floryan
We all know Yahoo is a company that prides itself on hiring H1-B Visa clowns who are totally incompetent. Witness the destruction of Yahoo Groups' message archives [....]

I'm confused. The list I've run the longest, SF Games, has every message back to the beginning on January 23, 2000, when I welcomed people to the list. At least every random title I've clicked on has had a message attached.

I'll be the first to admit that the new look is horrible and management beyond simple things is difficult. However, I run SF Games as an opt-in list, where people can simply send a "subscribe" email to the list and not have to fuss with Yahoo's web interface at all. We have 469 members at present.

Post by Thad Floryan
and the dumbed-down and nearly unusable NEO interface that infected Yahoo Groups mid-August 2013. And, of course, Yahoo Email is one of the longest-running jokes on Earth far surpassing AOL's clown circus. You'd be well-advised to abandon Yahoo and Yahoo Mail immediately.

Nearly all my email accounts are on Yahoo mail, and I haven't had any problems except for ONE: I get a rejected email and a 550 error when I send any email to kcsm.org. It's some sort of spamblocker somewhere in their chain. This is the only address where my email has ever been rejected.

But I'll also say that I try not to put any mission-critical information on any email message. For the longest time Yahoo (and others) ran email unencrypted, so I was well aware that anybody doing any packet sniffing between me and Yahoo and between Yahoo and the recipient would be able to read my email. So, I just assumed/assume that all email is public.

Post by David Kaye
But I'll also say that I try not to put any mission-critical information on any email message. For the longest time Yahoo (and others) ran email unencrypted, so I was well aware that anybody doing any packet sniffing between me and Yahoo and between Yahoo and the recipient would be able to read my email. So, I just assumed/assume that all email is public.

Same here. I sorta inherited several Yahoo accounts via PacBell/SBC/AT&T DSL accounts. I use them for trivial junk, like reading Yahoo groups and complaining to AT&T about the DSL service.

However, for stuff I really care about, I use Enigmail for Thunderbird and GNU Privacy Guard (GNUpg) on Linux and GPGmail on OS/X [1]:
<https://www.enigmail.net/home/index.php>
<https://addons.mozilla.org/en-us/thunderbird/addon/enigmail/>
<http://en.wikipedia.org/wiki/GNU_Privacy_Guard>
I'm involved currently in 3 virtual companies. All our internal email has been encrypted for many years. The email is also "salted" with tempting traps, such as people and telephone extension numbers that don't exist, but are logged. So far, no leaks.

There's nothing I can do to stop someone from somehow grabbing my password, such as with Heart Bleed, and trying to read my mail, or impersonate me. Without my X.509 certificate and private key, they won't be able to do much. Also, I don't leave mail on any public mail server for very long. We used to have various private mail servers, but got tired of constant updates, spam filtering, maintenance, etc.

The bottom line is that if you REALLY want and need security, privacy, and reliability, you have to do most of the work yourself.

[1] I haven't tried APG on Android yet.
<https://play.google.com/store/apps/details?id=org.thialfihar.android.apg>
I just got a new Google Nexus 7 tablet, so I guess it's time to try it.

Post by Jeff Liebermann
[1] I haven't tried APG on Android yet.
<https://play.google.com/store/apps/details?id=org.thialfihar.android.apg>
I just got a new Google Nexus 7 tablet, so I guess it's time to try it.

You need to pair it with K-9 Mail for best effect. It works pretty well once you get your keys imported. I've used it on-and-off on my Android phone for a while now.